Thursday, 5 November 2015

FDD-FL- LTE IPsec Introduction


1. Security Requirements of LTE System
LTE is a flat, all-IP network, so it faces new challenges on the transmission side. Base station traffic is transmitted in plain text, so it can easily be read, eavesdropped on, forged and tampered with. Most base station nodes are placed in unsecured environments, so they are likely targets of attack. In addition, the backhaul is usually a third-party network, which brings further security risks. The IP protocol itself does not take security into account.
The requirements of operators can be summarized as follows:
(a) Enable IPsec protocol functions in the LTE system
(b) Support the basic algorithms
(c) Protect S1, X2 and OMC channel traffic inside an IPsec tunnel
(d) Multi-tunnel configuration: establish an IPsec tunnel on the X2 interface, either for direct communication or for indirect communication routed through the SeGW (IPsec GW).

2. IPsec Principle
IPsec protects transmission security at the IP layer. By applying encryption, authentication and other security mechanisms at the IP layer, the security of the TCP/IP protocol suite is greatly improved. Compared with other technologies, IPsec offers more flexible policy, greater versatility and higher efficiency, which allows lower cost and less maintenance work. Therefore IPsec is widely applied in routers, SeGWs and wireless base stations.
Figure 2-1  IPsec system architecture

The IPsec system includes IKE (Internet Key Exchange), AH (Authentication Header), ESP (Encapsulating Security Payload), encryption algorithms, verification (integrity) algorithms and the DOI (Domain of Interpretation).
IPsec provides two protocols for IP traffic security: AH and ESP. AH provides connectionless integrity, data origin authentication, anti-replay protection and other security services; ESP provides confidentiality (encryption), connectionless integrity, data origin authentication, anti-replay protection and other security services. Both AH and ESP have two modes: transport mode and tunnel mode. In transport mode AH also authenticates the IP header, whereas ESP in transport mode does not protect the IP header or any extension headers that precede the ESP header. Transport mode is generally used for communication between hosts, while communication between SeGWs must use tunnel mode. In practice a host must support both transport mode and tunnel mode, and a security gateway is only required to support tunnel mode. When the SeGW is itself the destination host, it should also support transport mode, for example to encrypt a network channel that terminates on the gateway.
Figure 2-2  IPsec protection modes


IPsec key management covers key identification and distribution, in either manual or automatic mode. In manual mode, the system administrator configures the keys on each system by hand for communication with the other systems. This mode is applicable in small-scale, relatively static deployments. In automatic mode, the automatic key management system creates SA keys on demand, which suits large-scale, changing deployments. Automatic key management is highly flexible, but it requires complex configuration and protocol support in software, so it is not suggested for a small system. IKE is the default IPsec automatic key management protocol; it defines the standards for automatic authentication of IPsec peer entities, negotiation of security services and generation of shared keys.
IKE operates in two phases:
Phase 1: the ISAKMP peers establish a communication channel whose security has been authenticated. Phase 1 can be carried out in main mode or aggressive mode, and these two modes are used only in Phase 1. Both establish the ISAKMP SA and generate keying material through a Diffie-Hellman exchange, yielding the keys used in the later stage.
Phase 2: quick mode, which can only be used in Phase 2.
The parameters IKE negotiates include the encryption algorithm, the hash algorithm, the authentication method, the Diffie-Hellman group and other information.
PSK (pre-shared key) is one authentication method used in IPsec negotiation. In this mode both IPsec entities must be configured with the same pre-shared key. When the IPsec tunnel is created, the pre-shared key itself is never transmitted over the network; the IPsec entities exchange only keying material. Each entity then derives the encryption and authentication keys that protect the IPsec data from that keying material together with the pre-shared key.
3. IPsec PSK Negotiation Description
In the LTE network the eNB connects to the SeGW over the IP backhaul. The EPC and OMC are all deployed inside the security domain. The eNB communicates with the OMC/MME/SGW through the IPsec tunnel, so the eNB must establish an IPsec tunnel with the SeGW. The IPsec network is deployed as below:
Figure 2-3  IPsec network of LTE system


In this network, the SeGW must be configured with an IPsec policy for the eNB's traffic, and the eNB is configured with the same PSK as the one configured on the SeGW. The IPsec negotiation process in PSK mode is shown below:
Figure 2-4  IPsec negotiation process in PSK mode
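The key-derivation and authentication steps of the PSK-mode Phase 1 exchange between eNB and SeGW, as an added Python example that is not part of the original post. It follows the RFC 2409 pre-shared key formulas; the Diffie-Hellman group, SA payload and identity payloads are constructed toy values, not real IKE parameters.

```python
import hmac
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only; a real
# IKE negotiation uses a standard MODP group agreed in Phase 1.
P = 2**127 - 1   # a Mersenne prime, so the modular arithmetic below is well defined
G = 5

def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf: HMAC with the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def derive_skeyids(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4, pre-shared key authentication. The PSK is used
    only as an HMAC key to seed SKEYID; it is never placed on the wire."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def phase1_psk(psk_enb: bytes, psk_segw: bytes):
    """Simulate the Phase 1 computations between an eNB (initiator) and a
    SeGW (responder). Returns (authenticated, enb_keys, segw_keys)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)  # ISAKMP cookies
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)      # nonces Ni, Nr
    sai_b = b"\x00\x00\x00\x01" + b"aes128-sha1-psk"                # constructed SA payload
    id_i, id_r = b"eNB-0001", b"SeGW-01"                            # constructed ID payloads
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gxi, gxr = pow(G, xi, P), pow(G, xr, P)                          # public values on the wire
    gxi_b, gxr_b = gxi.to_bytes(16, "big"), gxr.to_bytes(16, "big")
    # Each side computes g^xy from the peer's public value and its own secret.
    gxy_enb = pow(gxr, xi, P).to_bytes(16, "big")
    gxy_segw = pow(gxi, xr, P).to_bytes(16, "big")
    enb = derive_skeyids(psk_enb, ni, nr, gxy_enb, cky_i, cky_r)
    segw = derive_skeyids(psk_segw, ni, nr, gxy_segw, cky_i, cky_r)
    # Authentication: HASH_I and HASH_R are keyed with SKEYID, so a peer
    # holding a different PSK produces a hash the other side rejects.
    hash_i = prf(enb[0], gxi_b + gxr_b + cky_i + cky_r + sai_b + id_i)
    hash_r = prf(segw[0], gxr_b + gxi_b + cky_r + cky_i + sai_b + id_r)
    segw_accepts = hmac.compare_digest(
        hash_i, prf(segw[0], gxi_b + gxr_b + cky_i + cky_r + sai_b + id_i))
    enb_accepts = hmac.compare_digest(
        hash_r, prf(enb[0], gxr_b + gxi_b + cky_r + cky_i + sai_b + id_r))
    return segw_accepts and enb_accepts, enb, segw
```

With matching PSKs both sides arrive at identical SKEYID material and accept each other's hash; with a mismatch the Diffie-Hellman values still agree but authentication fails, which is what an operator sees when the PSK on eNB and SeGW differ.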

Budi Prasetyo
